WO2020135232A1 - Malicious sample detection method, apparatus and system, and storage medium - Google Patents


Info

Publication number: WO2020135232A1
Authority: WO (WIPO, PCT)
Prior art keywords: time, malicious, virtual machine, mode, log
Application number: PCT/CN2019/126752
Other languages: French (fr), Chinese (zh)
Inventors: 周海生, 马苏安, 郝林成, 徐洲
Original assignee and applicant: 中兴通讯股份有限公司 (ZTE Corporation)
Publication: WO2020135232A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors

Definitions

  • the present disclosure relates to the technical field of network security, and in particular, to a malicious sample detection method, device, system, and storage medium.
  • the dynamic behavior analysis of malicious samples is an analysis method that runs malicious samples in a real computer operating environment and analyzes the log information to identify malicious samples.
  • most current malware, viruses and backdoors have a latent feature in the time dimension: they do not perform malicious operations immediately after infecting the host machine, but lie dormant for a period of time before executing malicious behavior.
  • in dynamic behavior analysis the analysis time is fixed and relatively short, so it is difficult to capture the malicious behavior of such samples unless a large amount of useless waiting time is spent, increasing the analysis accuracy in a way that reduces efficiency. Even then, the malicious behavior of a sample with long-term latent behavior cannot be obtained, because it is impossible to wait indefinitely.
  • the main purpose of the present disclosure is to provide a malicious sample detection method, device, system, and storage medium, which are designed to quickly trigger the time latent behavior of malicious samples through time shifting, and improve the efficiency and success rate of malicious sample dynamic behavior analysis.
  • the malicious sample detection method includes the following steps: start the time shift mode of the virtual machine and obtain the log of the tested sample in the time shift mode of the virtual machine; analyze whether the log in the time shift mode shows malicious behavior; if the log shows malicious behavior, determine the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • the present disclosure also provides a malicious sample detection device.
  • the malicious sample detection device includes an acquisition module, an analysis module, and a determination module, wherein: the acquisition module 10 starts the time shift mode of the virtual machine and acquires the log of the tested sample in the time shift mode of the virtual machine; the analysis module 20 analyzes whether the log in the time shift mode shows malicious behavior; and the determination module 30, if the log shows malicious behavior, determines the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • the malicious sample detection system includes a memory, a processor, and a malicious sample detection program stored in the memory and operable on the processor; when the malicious sample detection program is executed by the processor, the steps of the malicious sample detection method described above are implemented.
  • the present disclosure also provides a storage medium on which a malicious sample detection program is stored; when the malicious sample detection program is executed by a processor, the steps of the malicious sample detection method described above are implemented.
  • FIG. 1 is a schematic diagram of a terminal structure of a hardware operating environment involved in an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart of a first embodiment of a malicious sample detection method of the present disclosure
  • FIG. 3 is a schematic diagram of a timeline of a combined scheme for detecting a malicious sample of the present disclosure
  • FIG. 4 is a schematic diagram of functional modules of a malicious sample detection device of the present disclosure.
  • the main solution of the embodiments of the present disclosure is to: start the time shift mode of the virtual machine and obtain the log of the tested sample in the time shift mode of the virtual machine; analyze whether the log in the time shift mode shows malicious behavior; and, if the log shows malicious behavior, determine the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • by accelerating the lapse of the virtual machine's system time, the present disclosure quickly triggers the time latent behavior of the malicious sample through time shifting, improving the efficiency and success rate of the dynamic behavior analysis of malicious samples.
  • An embodiment of the present disclosure proposes a solution that can accelerate the system time lapse of a virtual machine, quickly trigger the time latent behavior of malicious samples through time shifting, and improve the efficiency and success rate of malicious sample dynamic behavior analysis.
  • FIG. 1 is a schematic diagram of a terminal structure of a hardware operating environment involved in a solution of an embodiment of the present disclosure.
  • the terminal of the embodiment of the present disclosure is a malicious sample detection device.
  • the terminal may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002.
  • the communication bus 1002 is used to implement connection communication between these components.
  • the user interface 1003 may include a display (Display), an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface.
  • the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface).
  • the memory 1005 may be a high-speed RAM memory, or may be a non-volatile memory (non-volatile memory), such as a disk memory.
  • the memory 1005 may optionally be a storage device independent of the foregoing processor 1001.
  • the terminal may further include a camera, an RF (Radio Frequency) circuit, a sensor, an audio circuit, a WiFi module, and so on.
  • sensors such as light sensors, motion sensors and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display screen according to the brightness of the ambient light, and the proximity sensor may turn off the display screen and/or backlight when the terminal device is moved to the ear.
  • the terminal can also be configured with other sensors such as gyroscopes, barometers, hygrometers, thermometers, and infrared sensors, which will not be repeated here.
  • FIG. 1 does not constitute a limitation on the terminal, and may include more or less components than those illustrated, or combine certain components, or have different component arrangements.
  • the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module, and a malicious sample detection program.
  • the network interface 1004 is mainly used to connect to the background server and perform data communication with the background server;
  • the user interface 1003 is mainly used to connect to the client (user) and perform data communication with the client;
  • the processor 1001 can be used to call the malicious sample detection program stored in the memory 1005 and perform the following operations: start the time shift mode of the virtual machine and obtain the log of the tested sample in the time shift mode of the virtual machine; analyze whether the log in the time shift mode shows malicious behavior; if the log shows malicious behavior, determine the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • the processor 1001 may call the malicious sample detection program stored in the memory 1005 and also perform the following operations: set the first start time, the first end time, and the linear speed multiple of the linear shift mode; start the linear shift mode at the first start time; run the virtual machine at the preset normal rate times the linear speed multiple until the first end time; obtain the log of the tested sample between the first start time and the first end time as the log of the tested sample in the linear shift mode.
  • the processor 1001 may call the malicious sample detection program stored in the memory 1005 and also perform the following operations: set the second start time, the second end time, the skip time, and the third end time of the jump shift mode; start the jump shift mode at the second start time; control the virtual machine to jump over the skip time by the second end time; at the second end time, control the virtual machine to run at the preset normal rate until the third end time; obtain the log of the tested sample between the second end time and the third end time as the log of the tested sample in the jump shift mode.
  • the processor 1001 may call the malicious sample detection program stored in the memory 1005 and also perform the following operations: run the virtual machine at the preset normal rate and obtain the log of the tested sample; analyze whether the log at the preset normal rate shows malicious behavior; if it does, determine that the tested sample has no latent behavior in the time dimension; if it does not, execute the step of starting the time shift mode of the virtual machine and obtaining the log of the tested sample in the time shift mode of the virtual machine.
  • the processor 1001 may call the malicious sample detection program stored in the memory 1005 and further perform the following operations: if the log shows malicious behavior, obtain the type of the time shift mode, and determine the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • the processor 1001 may call the malicious sample detection program stored in the memory 1005 and further perform the following operation: if the log does not show malicious behavior, determine that the tested sample has no latent behavior in the time dimension.
  • the malicious sample detection terminal, through the processor 1001, calls the malicious sample detection program stored in the memory 1005 to implement the steps of: starting the time shift mode of the virtual machine and obtaining the log of the tested sample in the time shift mode of the virtual machine; analyzing whether the log in the time shift mode shows malicious behavior; and, if the log shows malicious behavior, determining the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • FIG. 2 is a schematic flowchart of a first embodiment of a malicious sample detection method of the present disclosure.
  • the first embodiment of the present disclosure provides a malicious sample detection method.
  • the malicious sample detection method is applied to a virtual machine.
  • the malicious sample detection method includes the following steps:
  • Step S1 start the time variable mode of the virtual machine, and obtain a log of the tested sample in the time variable mode of the virtual machine;
  • an operating system capable of running a virtual machine is installed on the host machine, a guest system is then installed in the virtual machine, and the host machine then transfers the tested sample to the guest system in the virtual machine through a shared folder.
  • the operating system is one supported by the virtual machine and on which the speed change effect can be achieved, such as Windows, Linux, etc.
  • the time shift mode in this embodiment includes a linear shift mode and a jump shift mode.
  • linear shift refers to increasing or decreasing the rate at which system time runs in the virtual machine; it is used mainly to accelerate the system time flow in the virtual machine so as to trigger the malicious behavior of a timing-triggered malicious sample sooner.
  • when the time shift mode is the linear shift mode, the system time flow rate becomes N times the preset normal rate, and the running speed of the tested sample in the virtual machine system likewise becomes N times its running speed in the real world. If the tested sample is a time-triggered malicious sample, its malicious behavior in the current virtual machine is triggered and released in advance, and the malicious behavior is captured by analyzing the log of the tested sample during the speed change.
  • jump shift refers to jumping the system time in the virtual machine to another future time point in a short time; it is used mainly to trigger the malicious behavior of a time-triggered malicious sample sooner.
  • when the time shift mode is the jump shift mode, the system time jumps from the current time point to another future time point in a short time. If the tested sample is a time-triggered malicious sample, then once the current time point is determined to be equal to or later than the trigger moment of the malicious sample, the latent condition of the regularly-triggered malicious sample is met and the malicious behavior is released; the log of the tested sample after the jump shift is recorded and analyzed, thereby capturing the malicious behavior.
  • the above two time shift modes can be implemented separately or combined together.
  • the preferred solution of this embodiment is to implement the above two time shift modes in combination.
  • the way in which the above two modes change the time running frequency or step value of the virtual machine varies with the software type of the virtual machine. If the virtual machine software is open source, such as the QEMU virtual machine, the code module that provides the system clock in the open source code can be modified to achieve the speed change; if the virtual machine software is closed source, such as VMware, the parameter host.cpukHz of the config.ini configuration file can be modified to achieve the speed change; for other types of virtual machines without a related configuration file, the clock frequency of the system clock can be modified through reverse engineering to achieve the speed change.
  • Step S2: Analyze whether there is malicious behavior in the log under the time shift mode.
  • the log includes, but is not limited to, API call records and call parameters during the running of the tested sample, network access records, strings parsed by the malicious sample, domain names, running screenshots, read and write problems, released files, network behaviors, etc.
  • step S3 if malicious behavior exists in the recording log, the type of latent behavior in the time dimension of the tested sample is determined according to the type of the time variable speed mode.
  • the time latent behavior of the malicious sample is quickly triggered by speeding up the system time lapse of the virtual machine through time shifting, and the efficiency and success rate of malicious sample dynamic behavior analysis are improved.
  • step S1 further includes:
  • Step S101 Run the virtual machine at a preset normal rate, and obtain a log of the tested sample in real time;
  • before starting the time shift mode of the virtual machine, the virtual machine system can be run at a preset normal rate synchronized with the real-world lapse of time, and the log of the tested sample at the preset normal rate can be obtained in real time.
  • Step S102: Analyze whether there is malicious behavior in the log at the preset normal rate.
  • Step S103: If there is malicious behavior in the log at the preset normal rate, it is determined that the tested sample has no latent behavior in the time dimension;
  • otherwise, the step is executed: start the time shift mode of the virtual machine and obtain the log of the tested sample in the time shift mode of the virtual machine.
  • if the tested sample shows malicious behavior in the log at the preset normal rate, it is a malicious sample, and since it can be triggered at the normal time flow rate it has no latent behavior in the time dimension; the tested sample is therefore determined to be a malicious sample without latent behavior in the time dimension. At the same time, once the tested sample is determined to be a malicious sample without latent behavior in the time dimension, the test can be stopped at the preset detection stop time.
  • otherwise, step S1 is executed.
  • the malicious sample detection method proposed in this embodiment runs the tested sample at the preset normal rate and records and analyzes the log of the tested sample during that run, so that malicious samples without latent behavior in the time dimension are detected without using the subsequent speed change steps, thereby improving analysis efficiency.
  • when the time shift mode includes a linear shift mode, before the above step S1 the method also includes:
  • Step S101: Set the first start time TLstart, the first end time TLstop, and the linear speed multiple N of the linear shift mode.
  • N is a positive floating-point number; its theoretical value range is 0 to +∞.
  • when N equals 0, the time in the virtual machine system no longer advances, the operation of the virtual machine system stops, and the system time stops; when N is greater than 0 and less than 1, the virtual machine system runs more slowly and virtual machine system time becomes slow relative to real-world time; when N equals 1, the virtual machine system runs normally and virtual machine system time equals real-world time; when N is greater than 1, the virtual machine system runs faster and virtual machine system time becomes fast relative to real-world time.
  • the linear shift mode preferably uses N greater than 1.
  • step S1 includes: step S11, start the linear shift mode at the first start time; step S12, run the virtual machine at the preset normal rate times the linear speed multiple until the first end time; step S13, obtain in real time the log of the tested sample between the first start time and the first end time as the log of the tested sample in the linear shift mode.
  • reaching TLstart automatically triggers the operation of the linear shift mode, the virtual machine runs at N times the real-world time lapse speed until TLstop, and the log of the tested sample during the linear speed change, that is, the log between TLstart and TLstop, is obtained as the log of the tested sample in the linear shift mode.
  • the tested sample is run at a changed speed in the virtual machine system, and the log of the tested sample during the speed-changed run is recorded and analyzed, thereby providing support for subsequent malicious behavior analysis.
  • when the time shift mode includes a jump shift mode, before the above step S1 the method also includes:
  • Step S101: Set the second start time TJstart, the second end time TJstop, the skip time ΔT, and the third end time Tstop of the jump shift mode.
  • TJstart, TJstop, and Tstop are real-world times.
  • the jump landing point is the virtual system time point reached after the virtual machine system time passes through the jump.
  • ΔT is a positive floating-point number; its theoretical value range is 0 to +∞.
  • step S1 includes: step S14, start the jump shift mode at the second start time; step S15, control the virtual machine to jump over the skip time by the second end time; step S16, at the second end time, control the virtual machine to run at the preset normal rate until the third end time; step S17, obtain the log of the tested sample between the second end time and the third end time as the log of the tested sample in the jump shift mode.
  • reaching TJstart automatically triggers the jump shift mode, which controls the virtual machine to jump to the jump landing point time by the second end time TJstop; at TJstop the virtual machine is controlled to run at the preset normal rate until the third end time Tstop, and the log of the tested sample after the jump shift process, that is, the log between TJstop and Tstop, is obtained as the log in the jump shift mode.
  • the dynamic behavior of the tested sample is not recorded or analyzed during the jump shift process itself (TJstart to TJstop) because the span of system time that the virtual machine jumps over may be very long; recording and analyzing the dynamic behavior of the tested sample throughout that span would consume a great deal of resources, contrary to the purpose of the present disclosure. Therefore only the log of the tested sample after the jump shift process is recorded and obtained.
  • the virtual machine system time corresponding to the second end time = first start time + skip time;
  • the virtual machine system time corresponding to the third end time = first start time + skip time + (third end time − second end time).
  • the malicious sample detection method provided in this embodiment runs the tested sample at a changed speed in the virtual machine system and records and analyzes the log of the tested sample after the jump of the speed-changed run, thereby providing support for subsequent malicious behavior analysis.
  • the third embodiment and the fourth embodiment can be implemented separately, that is, the linear shift mode or the jump shift mode is run alone in the virtual machine system; the two embodiments can also be implemented in combination, for example as shown in FIG. 3, where runs at the preset normal rate can be interspersed before and after the linear shift mode and the jump shift mode. This is not limited here.
  • step S2 further includes:
  • Step S21 If there is no malicious behavior in the recording log, it is determined that there is no latent behavior in the time dimension in the tested sample.
  • the linear shift mode or the jump shift mode can be run alone, or the two embodiments can be implemented in combination. If no malicious behavior of the tested sample is detected after the above modes, it is determined that the tested sample has no latent behavior in the time dimension.
  • step S3 includes: step S31, if there is malicious behavior in the log, obtain the type of the time shift mode; step S32, determine the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • if there is malicious behavior in the log, the type of the time shift mode in the virtual machine system is obtained first, and then, according to that type, it is determined whether the latent behavior in the time dimension of the tested sample is of the timing-triggered type or the time-triggered type.
  • the technical solution proposed by the embodiments of the present disclosure addresses the following problem of the dynamic behavior analysis of malicious samples used in some cases, an analysis method that runs malicious samples in a real computer operating environment and analyzes log information to identify malicious samples.
  • most current malware, viruses and backdoors have a latent feature in the time dimension: they do not perform malicious operations immediately after infecting the host machine, but lie dormant for a period of time before executing malicious behavior.
  • in dynamic behavior analysis the analysis time is fixed and relatively short, so it is difficult to capture the malicious behavior of such samples unless a large amount of useless waiting time is spent, increasing the analysis accuracy in a way that reduces efficiency. Even then, the malicious behavior of a sample with long-term latent behavior cannot be obtained, because it is impossible to wait indefinitely.
  • FIG. 4 is a schematic diagram of functional modules of the malicious sample detection device of the present disclosure.
  • the present disclosure also provides a malicious sample detection device.
  • the malicious sample detection device includes: an acquisition module 10 that starts the time shift mode of the virtual machine and obtains the log of the tested sample in the time shift mode of the virtual machine; an analysis module 20 that analyzes whether the log in the time shift mode shows malicious behavior; and a determination module 30 that, if the log shows malicious behavior, determines the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • the implementation of the malicious sample detection device of the present disclosure is basically the same as the embodiments of the malicious sample detection method, and details are not described here again.
  • the present disclosure provides a storage medium that stores one or more programs, and the one or more programs may be executed by one or more processors to implement the steps of any of the malicious sample detection methods described above.
  • the embodiments of the storage medium of the present disclosure are basically the same as the embodiments of the malicious sample detection method, which will not be repeated here.
  • the malicious sample detection method, device, system and storage medium proposed by the present disclosure start the time shift mode of the virtual machine and obtain the log of the tested sample in the time shift mode of the virtual machine; analyze whether the log under the time shift mode shows malicious behavior; and, if the log shows malicious behavior, determine the type of latent behavior in the time dimension of the tested sample according to the type of the time shift mode.
  • the present disclosure quickly triggers the time latent behavior of malicious samples through time shifting and improves the efficiency and success rate of the dynamic behavior analysis of malicious samples.
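As an added illustration (not code from the patent or from ZTE), the following Python simulates the combined scheme of steps S101 to S103 and S1 to S3 described above: a guest clock that supports the linear shift (multiple N) and the jump shift (skip time ΔT), constructed samples modelled as trigger predicates on guest time, and the verdict mapping the text gives (a hit at the normal rate means no latent behavior; a hit in linear mode is classified as timing-triggered; a hit after the jump as time-triggered). The window lengths, N = 1000 and ΔT = 90 days are assumed values chosen for the simulation.

```python
"""Simulation of the time-shift sandbox scheme (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

DAY = 86400.0  # guest seconds in one day

Record = Tuple[float, str, bool]                       # (guest time, name, malicious)
Behaviour = Tuple[str, bool, Callable[[float], bool]]  # trigger is a predicate on guest time


@dataclass
class VirtualClock:
    """Guest system clock of the sandbox VM, driven from host (real) seconds."""
    vm_time: float = 0.0  # guest seconds since the sample was started
    rate: float = 1.0     # N: guest seconds elapsed per real second

    def advance(self, real_seconds: float) -> None:
        """Linear shift: guest time moves at N times real time."""
        self.vm_time += self.rate * real_seconds

    def jump(self, skip_time: float) -> None:
        """Jump shift: guest time moves forward by ΔT in negligible real time."""
        self.vm_time += skip_time


@dataclass
class Sample:
    """Constructed sample: each behaviour fires once when its trigger holds."""
    behaviours: List[Behaviour]
    fired: Set[str] = field(default_factory=set)

    def tick(self, clock: VirtualClock) -> List[Record]:
        out: List[Record] = []
        for name, malicious, trigger in self.behaviours:
            if name not in self.fired and trigger(clock.vm_time):
                self.fired.add(name)
                out.append((clock.vm_time, name, malicious))
        return out


def run_window(sample: Sample, clock: VirtualClock,
               real_seconds: float, step: float = 1.0) -> List[Record]:
    """Run the VM for real_seconds of host time at the clock's current rate
    and return the log the sample produced in that window."""
    log: List[Record] = []
    elapsed = 0.0
    while elapsed < real_seconds:
        clock.advance(step)
        elapsed += step
        log.extend(sample.tick(clock))
    return log


def has_malicious(log: List[Record]) -> bool:
    """Steps S2 / S102: does the log show malicious behaviour?"""
    return any(malicious for _, _, malicious in log)


def jump_mode_guest_times(vm_start: float, skip_time: float,
                          tj_stop: float, t_stop: float) -> Tuple[float, float]:
    """Guest time at TJstop and at Tstop, per the text's two formulas:
    start + ΔT, and start + ΔT + (Tstop - TJstop)."""
    at_tj_stop = vm_start + skip_time
    return at_tj_stop, at_tj_stop + (t_stop - tj_stop)


def detect(sample: Sample, t_normal: float = 300.0, tl_len: float = 300.0,
           n: float = 1000.0, skip_time: float = 90 * DAY,
           tj_len: float = 300.0) -> Tuple[str, str, float]:
    """Combined scheme of FIG. 3: normal rate, then linear shift, then jump.
    Window lengths, N and ΔT are assumed values. Returns
    (verdict, latent behaviour type, final guest time)."""
    clock = VirtualClock()
    # S101-S103: preset normal rate first; a hit here means malicious
    # without latent behaviour in the time dimension (no shift needed).
    if has_malicious(run_window(sample, clock, t_normal)):
        return "malicious", "none", clock.vm_time
    # Linear shift mode, TLstart..TLstop, at N times the normal rate.
    clock.rate = n
    linear_log = run_window(sample, clock, tl_len)
    clock.rate = 1.0
    if has_malicious(linear_log):
        return "malicious", "timing-triggered", clock.vm_time
    # Jump shift mode: jump ΔT at TJstart, then normal rate until Tstop;
    # only the log after the jump (TJstop..Tstop) is analysed.
    clock.jump(skip_time)
    if has_malicious(run_window(sample, clock, tj_len)):
        return "malicious", "time-triggered", clock.vm_time
    return "not detected", "none", clock.vm_time  # S21


if __name__ == "__main__":
    sleeper = Sample([("beacon", True, lambda t: t >= 3 * DAY)])
    date_bomb = Sample([("wipe", True, lambda t: t >= 60 * DAY)])
    print(detect(sleeper))    # timing-triggered: fires inside the linear window
    print(detect(date_bomb))  # time-triggered: fires only after the jump
```

A delay longer than N times the linear window also fires only after the jump, so the mode in which the behavior first appears is evidence for, not proof of, the trigger kind.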


Abstract

Disclosed are a malicious sample detection method, apparatus and system and a storage medium. The method comprises: starting a time shift mode of a virtual machine, and acquiring a record log of a detected sample in the time shift mode of the virtual machine (S1); analyzing whether there is malicious behavior in the record log in the time shift mode (S2); and if there is malicious behavior in the record log, determining a time dimension latent behavior type of the detected sample according to the type of time shift mode (S3).

Description

恶意样本检测方法、装置、系统及存储介质Malicious sample detection method, device, system and storage medium
本公开要求享有2018年12月26日提交的名称为“恶意样本检测方法、装置、系统及存储介质”的中国专利申请CN201811604795.1的优先权,其全部内容通过引用并入本文中。This disclosure claims the priority of the Chinese patent application CN201811604795.1, entitled "Malicious Sample Detection Method, Device, System, and Storage Media," filed on December 26, 2018, the entire contents of which are incorporated herein by reference.
技术领域Technical field
本公开涉及网络安全技术领域,尤其涉及一种恶意样本检测方法、装置、系统及存储介质。The present disclosure relates to the technical field of network security, and in particular, to a malicious sample detection method, device, system, and storage medium.
Background
The arrival of the Internet era has brought great convenience to people's lives, studies and work, but it has also been accompanied by increasingly serious network security problems. More and more malicious software runs rampant on the network, posing a serious hidden danger to people's lives, studies and work, and the major security vendors are all seeking better ways to detect malicious files.
In some cases, dynamic behavior analysis of malicious samples is an analysis method in which the malicious sample is run in a real computer operating environment and the malicious sample is identified by analyzing the log information. However, the great majority of current malware, viruses and backdoors have a time-dimension latency property: after infecting the host machine they do not perform malicious operations immediately, but first lie dormant and run for a period of time before executing malicious behavior. The analysis time of dynamic behavior analysis is fixed and relatively short, so it is hard to capture the malicious behavior of malicious samples unless a large amount of useless waiting time is spent, raising the analysis accuracy at the cost of efficiency. Even then, the malicious behavior of some malicious samples with long-term latent behavior cannot be obtained at all, because it is impossible to wait indefinitely.
Summary
The main purpose of the present disclosure is to provide a malicious sample detection method, apparatus, system and storage medium, which aim to quickly trigger the time-latent behavior of malicious samples through time shifting and to improve the efficiency and success rate of malicious sample dynamic behavior analysis.
To achieve the above object, the present disclosure provides a malicious sample detection method applied to a virtual machine. The method comprises the following steps: starting a time shift mode of the virtual machine, and acquiring a record log of the sample under test in the time shift mode of the virtual machine; analyzing whether there is malicious behavior in the record log in the time shift mode; and if there is malicious behavior in the record log, determining the time-dimension latent behavior type of the sample under test according to the type of the time shift mode.
The present disclosure further provides a malicious sample detection apparatus comprising an acquisition module, an analysis module and a determination module, wherein: the acquisition module 10 starts the time shift mode of the virtual machine and acquires the record log of the sample under test in the time shift mode of the virtual machine; the analysis module 20 analyzes whether there is malicious behavior in the record log in the time shift mode; and the determination module 30, if there is malicious behavior in the record log, determines the time-dimension latent behavior type of the sample under test according to the type of the time shift mode.
In addition, to achieve the above object, the present disclosure further provides a malicious sample detection system comprising a memory, a processor, and a malicious sample detection program stored in the memory and executable on the processor, wherein the malicious sample detection program, when executed by the processor, implements the steps of the malicious sample detection method described above.
In addition, to achieve the above object, the present disclosure further provides a storage medium on which a malicious sample detection program is stored, wherein the malicious sample detection program, when executed by a processor, implements the steps of the malicious sample detection method described above.
Brief description of the drawings
FIG. 1 is a schematic diagram of the terminal structure of the hardware operating environment involved in an embodiment of the present disclosure;
FIG. 2 is a schematic flowchart of a first embodiment of the malicious sample detection method of the present disclosure;
FIG. 3 is a schematic timeline of the combined scheme of the malicious sample detection method of the present disclosure;
FIG. 4 is a schematic diagram of the functional modules of the malicious sample detection apparatus of the present disclosure.
The realization of the object, the functional features and the advantages of the present disclosure will be further described with reference to the embodiments and the accompanying drawings.
Detailed description
It should be understood that the embodiments described here are only used to explain the present disclosure and are not intended to limit it.
The main solution of the embodiments of the present disclosure is: starting the time shift mode of the virtual machine, and acquiring the record log of the sample under test in the time shift mode of the virtual machine; analyzing whether there is malicious behavior in the record log in the time shift mode; and if there is malicious behavior in the record log, determining the time-dimension latent behavior type of the sample under test according to the type of the time shift mode. By speeding up the passage of the virtual machine's system time, the present disclosure quickly triggers the time-latent behavior of malicious samples through time shifting and improves the efficiency and success rate of malicious sample dynamic behavior analysis.
In some cases, dynamic behavior analysis of malicious samples is an analysis method in which the malicious sample is run in a real computer operating environment and the malicious sample is identified by analyzing the log information. However, the great majority of current malware, viruses and backdoors have a time-dimension latency property: after infecting the host machine they do not perform malicious operations immediately, but first lie dormant and run for a period of time before executing malicious behavior. The analysis time of dynamic behavior analysis is fixed and relatively short, so it is hard to capture the malicious behavior of malicious samples unless a large amount of useless waiting time is spent, raising the analysis accuracy at the cost of efficiency. Even then, the malicious behavior of some malicious samples with long-term latent behavior cannot be obtained at all, because it is impossible to wait indefinitely.
An embodiment of the present disclosure therefore proposes a solution that speeds up the passage of the virtual machine's system time, quickly triggers the time-latent behavior of malicious samples through time shifting, and improves the efficiency and success rate of malicious sample dynamic behavior analysis.
FIG. 1 is a schematic diagram of the terminal structure of the hardware operating environment involved in the solution of an embodiment of the present disclosure.
The terminal of the embodiment of the present disclosure is a malicious sample detection apparatus.
As shown in FIG. 1, the terminal may comprise a processor 1001 such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 is used to implement the connection and communication between these components. The user interface 1003 may comprise a display and an input unit such as a keyboard, and the optional user interface 1003 may further comprise a standard wired interface and a wireless interface. The network interface 1004 may optionally comprise a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be a high-speed RAM memory or a stable non-volatile memory such as a disk memory. The memory 1005 may optionally also be a storage device independent of the aforementioned processor 1001.
In one embodiment, the terminal may further comprise a camera, an RF (Radio Frequency) circuit, sensors, an audio circuit, a WiFi module and so on. The sensors include, for example, light sensors, motion sensors and other sensors. In one embodiment, the light sensor may comprise an ambient light sensor and a proximity sensor, where the ambient light sensor can adjust the brightness of the display according to the brightness of the ambient light, and the proximity sensor can turn off the display and/or the backlight when the terminal device is moved to the ear. Of course, the terminal may also be equipped with other sensors such as a gyroscope, barometer, hygrometer, thermometer and infrared sensor, which are not described further here.
A person skilled in the art will understand that the terminal structure shown in FIG. 1 does not constitute a limitation of the terminal; it may comprise more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 1, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and a malicious sample detection program.
In the terminal shown in FIG. 1, the network interface 1004 is mainly used to connect to a background server and to exchange data with it; the user interface 1003 is mainly used to connect to a client (user side) and to exchange data with it; and the processor 1001 may be used to call the malicious sample detection program stored in the memory 1005 and perform the following operations: starting the time shift mode of the virtual machine, and acquiring the record log of the sample under test in the time shift mode of the virtual machine; analyzing whether there is malicious behavior in the record log in the time shift mode; and if there is malicious behavior in the record log, determining the time-dimension latent behavior type of the sample under test according to the type of the time shift mode.
In one embodiment, the processor 1001 may call the malicious sample detection program stored in the memory 1005 and further perform the following operations: setting a first start time, a first end time and a linear shift multiple of the linear shift mode; starting the linear shift mode at the first start time; running the virtual machine at a running rate equal to the linear shift multiple of a preset normal rate until the first end time; and acquiring the record log of the sample under test between the first start time and the first end time as the record log of the sample under test in the linear shift mode.
In one embodiment, the processor 1001 may call the malicious sample detection program stored in the memory 1005 and further perform the following operations: setting a second start time, a second end time, a skip time and a third end time of the jump shift mode; starting the jump shift mode at the second start time; controlling the virtual machine to skip the skip time and run to the second end time; at the second end time, controlling the virtual machine to run at the preset normal rate until the third end time; and acquiring the record log of the sample under test between the second end time and the third end time as the record log of the sample under test in the jump shift mode.
In one embodiment, the processor 1001 may call the malicious sample detection program stored in the memory 1005 and further perform the following operations: running the virtual machine at the preset normal rate and acquiring the record log of the sample under test; analyzing whether there is malicious behavior in the record log at the preset normal rate; if there is malicious behavior in the record log at the preset normal rate, determining that the sample under test has no time-dimension latent behavior; and if there is none, performing the step of starting the time shift mode of the virtual machine and acquiring the record log of the sample under test in the time shift mode of the virtual machine.
In one embodiment, the processor 1001 may call the malicious sample detection program stored in the memory 1005 and further perform the following operations: if there is malicious behavior in the record log, acquiring the type of the time shift mode; and determining the time-dimension latent behavior type of the sample under test according to the type of the time shift mode.
In one embodiment, the processor 1001 may call the malicious sample detection program stored in the memory 1005 and further perform the following operation: if there is no malicious behavior in the record log, determining that the sample under test has no time-dimension latent behavior.
In the technical solution provided by the present disclosure, the malicious sample detection terminal calls, through the processor 1001, the malicious sample detection program stored in the memory 1005 to implement the steps of: starting the time shift mode of the virtual machine, and acquiring the record log of the sample under test in the time shift mode of the virtual machine; analyzing whether there is malicious behavior in the record log in the time shift mode; and if there is malicious behavior in the record log, determining the time-dimension latent behavior type of the sample under test according to the type of the time shift mode. By speeding up the passage of the virtual machine's system time, the present disclosure quickly triggers the time-latent behavior of malicious samples through time shifting and improves the efficiency and success rate of malicious sample dynamic behavior analysis.
Based on the above hardware structure, embodiments of the malicious sample detection method of the present disclosure are proposed.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of a first embodiment of the malicious sample detection method of the present disclosure.
As shown in FIG. 2, the first embodiment of the present disclosure provides a malicious sample detection method applied to a virtual machine, comprising the following steps:
Step S1: starting the time shift mode of the virtual machine, and acquiring the record log of the sample under test in the time shift mode of the virtual machine;
It can be understood that the malicious sample detection method proposed by the present disclosure is applicable to the technical field of data processing.
In this embodiment, an operating system capable of running a virtual machine is installed on the host machine, a guest system is then installed in the virtual machine, and the host then transfers the sample under test into the guest system of the virtual machine by way of a shared folder. The time shift effect can be achieved with any operating system supported by the virtual machine, for example Windows or Linux.
The time shift modes in this embodiment include a linear shift mode and a jump shift mode.
In one embodiment, linear shifting means making the system time in the virtual machine run faster or slower; it mainly speeds up the flow of system time in the virtual machine in order to trigger sooner the malicious behavior of timer-triggered malicious samples (samples whose payload fires after a set amount of running time). When the time shift mode is the linear shift mode, the flow rate of system time becomes N times the preset normal rate, and at the same time the running rate of the sample under test inside the virtual machine system also becomes N times its running rate in the real world. If the sample under test is a timer-triggered malicious sample, its malicious behavior in the current virtual machine is triggered and released ahead of time, and the malicious behavior is captured by recording and analyzing the record log of the sample under test during the shift period.
Jump shifting means making the system time in the virtual machine jump to another future point in time within a short time; it is mainly used to trigger sooner the malicious behavior of scheduled-time-triggered malicious samples (samples whose payload fires once the clock reaches a set date or time). When the time shift mode is the jump shift mode, the system time jumps from the current point in time to another future point in time within a short time. If the sample under test is a scheduled-time-triggered malicious sample, then when it determines that the current time is equal to or later than its trigger time, the latent condition of the scheduled-time-triggered malicious sample is satisfied and the malicious behavior is released; the malicious behavior is captured by recording and analyzing the record log of the sample under test after the jump.
The above two time shift modes can be implemented separately or in combination; the preferred solution of this embodiment is to implement the two time shift modes in combination.
How the virtual machine's time-running frequency or step value is changed in the above two modes depends on the type of virtual machine software. If the virtual machine software is open source, for example the QEMU virtual machine, the shift can be implemented by modifying the code module that provides the system clock in the open source code; if the virtual machine software is closed source, for example VMware, the shift can be achieved by modifying the host.cpukHz parameter in the config.ini configuration file; for other types of virtual machine without a relevant configuration file, the shift can be achieved by modifying the clock frequency of the system clock through reverse engineering.
Step S2: analyzing whether there is malicious behavior in the record log in the time shift mode;
The record log includes, but is not limited to, the API call records and call parameters during the running of the sample under test, network access records, strings and domain names extracted from the malicious sample, runtime screenshots, read and write operations, dropped files and network behavior. By analyzing the contents of the above record log in combination with professional rules for judging the malicious behavior of malicious samples, a malicious behavior judgement can be made.
Step S3: if there is malicious behavior in the record log, determining the time-dimension latent behavior type of the sample under test according to the type of the time shift mode.
By analyzing the contents of the record log in combination with professional rules for judging the malicious behavior of malicious samples, if the detection and analysis find malicious behavior in the record log in the time shift mode, the time-dimension latent behavior type of the sample under test can be determined from the type of time shift mode that was in effect when the malicious behavior occurred.
The malicious sample detection method proposed in this embodiment speeds up the passage of the virtual machine's system time, quickly triggers the time-latent behavior of malicious samples through time shifting, and improves the efficiency and success rate of malicious sample dynamic behavior analysis.
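As an added example (not code from the patent), the following Python models steps S2 and S3 over a constructed record log: three illustrative judgement rules of the kind the text refers to (autorun-key persistence, drop-and-execute, contact to a domain hard-coded in the sample) run over time-ordered events, and the time shift mode in effect maps any finding to a latent behavior type. The event schema, the rule set, the sample log and its values (`svc.exe`, `update.example.invalid`) are all constructed for illustration.

```python
"""Steps S2 and S3 of the method: scan a record log for malicious behaviour and, when
something is found, derive the time-dimension latent behaviour type from the time shift
mode whose log it appeared in. Added example, not the patent's own code: the event
schema, the three judgement rules and the sample log are constructed for illustration
(the patent lists API calls with parameters, network access, dropped files and extracted
strings/domains as log contents but fixes neither a schema nor concrete rules)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    t: float          # VM system time of the event, seconds since the sample started
    kind: str         # "api" (call), "net" (network access), "file" (dropped), "string" (extracted)
    name: str         # API name, domain, file path or extracted string
    args: Dict[str, object] = field(default_factory=dict)  # call parameters, if any


@dataclass(frozen=True)
class Hit:
    rule: str
    event: Event


# a rule sees the whole time-ordered log plus the index of the event under review,
# so it can look back at earlier events; it returns a verdict string or None
Rule = Callable[[List[Event], int], Optional[str]]


def rule_autorun_key(log: List[Event], i: int) -> Optional[str]:
    """Persistence: a value written under a CurrentVersion\\Run key."""
    e = log[i]
    if e.kind == "api" and e.name == "RegSetValueExW":
        if "currentversion\\run" in str(e.args.get("key", "")).lower():
            return "persistence: autorun registry key written"
    return None


def rule_drop_and_execute(log: List[Event], i: int) -> Optional[str]:
    """A file the sample itself wrote is later launched as a process."""
    e = log[i]
    if e.kind == "api" and e.name == "CreateProcessW":
        image = str(e.args.get("image", "")).lower()
        if any(p.kind == "file" and p.name.lower() == image for p in log[:i]):
            return "drop-and-execute: dropped file launched"
    return None


def rule_hardcoded_domain_contacted(log: List[Event], i: int) -> Optional[str]:
    """Network access to a domain that was also found hard-coded in the sample."""
    e = log[i]
    if e.kind == "net":
        hardcoded = {p.name for p in log[:i] if p.kind == "string"}
        if e.name in hardcoded:
            return "network: hard-coded domain contacted"
    return None


RULES: List[Rule] = [rule_autorun_key, rule_drop_and_execute, rule_hardcoded_domain_contacted]


def analyse_record_log(log: Iterable[Event]) -> List[Hit]:
    """Step S2: run every rule over every event and collect the malicious behaviour found."""
    ordered = sorted(log, key=lambda e: e.t)
    hits: List[Hit] = []
    for i in range(len(ordered)):
        for rule in RULES:
            verdict = rule(ordered, i)
            if verdict:
                hits.append(Hit(verdict, ordered[i]))
    return hits


# step S3: the mode whose record log contained the behaviour fixes the latent type
LATENT_TYPE_BY_MODE = {
    "normal": "no time-dimension latent behaviour (fires at the preset normal rate)",
    "linear": "timer-triggered latent behaviour (fires after a stretch of running time)",
    "jump": "scheduled-time latent behaviour (fires once the clock passes a set time)",
}


def judge_latent_type(hits: List[Hit], mode: str) -> Optional[str]:
    """Step S3; returns None when the log holds no malicious behaviour, so S3 does not apply."""
    if not hits:
        return None
    return LATENT_TYPE_BY_MODE[mode]


# constructed record log, as it might be captured during a linear shift window
SAMPLE_LOG = [
    Event(0.0, "string", "update.example.invalid"),
    Event(1.2, "api", "GetTickCount"),
    Event(3.0, "file", "C:\\Users\\Public\\svc.exe", {"op": "write", "bytes": 20480}),
    Event(3.1, "api", "RegSetValueExW",
          {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "svc"}),
    Event(3.5, "api", "CreateProcessW", {"image": "C:\\Users\\Public\\svc.exe"}),
    Event(4.0, "net", "update.example.invalid", {"port": 443}),
]

if __name__ == "__main__":
    found = analyse_record_log(SAMPLE_LOG)
    for h in found:
        print(f"t={h.event.t:5.1f}  {h.rule}")
    print("verdict:", judge_latent_type(found, "linear"))
```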
In one embodiment, based on the first embodiment shown in FIG. 2, a second embodiment of the malicious sample detection method of the present disclosure is proposed. In this embodiment, the following steps precede step S1:
Step S101: running the virtual machine at a preset normal rate and acquiring the record log of the sample under test in real time;
In this embodiment, before the time shift mode of the virtual machine is started, the virtual machine system may first be run at a preset normal rate that is synchronized with the passage of real-world time, and the record log of the sample under test at the preset normal rate is acquired in real time.
Step S102: analyzing whether there is malicious behavior in the record log at the preset normal rate;
The record log of the sample under test at the preset normal rate is analyzed. The record log records the APIs called while the sample under test runs, together with their input and return parameters, read and write operations, dropped files and network behavior. By analyzing the contents of the above record log in combination with professional rules for judging the malicious behavior of malicious samples, a malicious behavior judgement can be made on the record log of the sample under test, thereby determining whether the sample under test exhibits malicious behavior at the preset normal rate.
Step S103: if there is malicious behavior in the record log at the preset normal rate, determining that the sample under test has no time-dimension latent behavior;
If there is none, performing the step of starting the time shift mode of the virtual machine and acquiring the record log of the sample under test in the time shift mode of the virtual machine.
If the analysis finds malicious behavior in the record log of the sample under test at the preset normal rate, the sample under test is a malicious sample, and since it can be triggered at the normal flow of time it has no time-dimension latent behavior; the sample under test is therefore determined to be a malicious sample without time-dimension latent behavior. At the same time, once the sample under test has been determined to be a malicious sample without time-dimension latent behavior, the detection can be stopped at the preset detection stop time.
If the analysis finds no malicious behavior in the record log of the sample under test at the preset normal rate, the sample under test may be a non-malicious sample or a malicious sample with a time-dimension latent condition; further detection is needed to decide, so step S1 is performed.
The malicious sample detection method proposed in this embodiment runs the sample under test at the preset normal rate and records and analyzes its record log during that run, so that malicious samples without time-dimension latent behavior are detected without the subsequent shift steps, which improves analysis efficiency.
In one embodiment, based on the first embodiment shown in FIG. 2, a third embodiment of the malicious sample detection method of the present disclosure is proposed. In this embodiment, the time shift mode includes the linear shift mode, and the following step precedes step S1:
Step S101: setting the first start time, the first end time and the linear shift multiple of the linear shift mode;
To shift the system time in the virtual machine system, the start time of the linear shift mode, namely the first start time TLstart, the end time of the linear shift mode, namely the first end time TLstop, and the multiple of the virtual machine system's time-running rate relative to the passage of real-world time, namely the linear shift multiple N, must first be set.
TLstart and TLstop are both real-world times. After the linear shift, the time that the virtual machine system has experienced during the linear shift mode is N*(TLstop-TLstart), and the virtual machine system time corresponding to the first end time is TLstart+N*(TLstop-TLstart).
N is a positive floating-point number with a theoretical value range of 0 to +∞.
When N equals 0, the time inside the virtual machine system no longer advances, the virtual machine system stops running and the system time stops; when N is greater than 0 and less than 1, the virtual machine system runs more slowly and the virtual machine system time slows down relative to real-world time; when N equals 1, the virtual machine system runs normally and the virtual machine system time equals real-world time; when N is greater than 1, the virtual machine system runs faster and the virtual machine system time speeds up relative to real-world time.
In this embodiment, N greater than 1 is preferred for the linear shift mode.
In one embodiment, the above step S1 comprises: step S11, starting the linear shift mode at the first start time; step S12, running the virtual machine at a running rate equal to the linear shift multiple of the preset normal rate until the first end time; and step S13, acquiring in real time the record log of the sample under test between the first start time and the first end time as the record log of the sample under test in the linear shift mode.
At the first start time TLstart the linear shift mode is triggered automatically, the virtual machine is run at N times the passage of real-world time until TLstop, and the record log of the sample under test during the linear shift, i.e. the record log between TLstart and TLstop, is acquired as the record log of the sample under test in the linear shift mode.
The malicious sample detection method proposed in this embodiment runs the sample under test at a shifted speed in the virtual machine system and records and analyzes the record log of the sample under test during the shifted run, thereby providing support for the subsequent analysis of malicious behavior.
In one embodiment, based on the first embodiment shown in FIG. 2, a fourth embodiment of the malicious sample detection method of the present disclosure is proposed. In this embodiment, the time shift mode includes the jump shift mode, and the following step precedes step S1:
Step S101: setting the second start time, the second end time, the skip time and the third end time of the jump shift mode;
To shift the system time in the virtual machine system, the start time of the jump shift mode, namely the second start time TJstart, the end time of the jump shift mode, namely the second end time TJstop, the time skipped by the virtual machine system time, namely the skip time ΔT, and the end time of log recording for the sample under test after the jump shift mode, namely the third end time Tstop, must first be set. The jump landing time is obtained from the second start time and the skip time: jump landing time = second start time TJstart + skip time ΔT.
TJstart, TJstop and Tstop are all real-world times, and the jump landing time is the virtual system time point reached by the virtual machine system time after the jump.
ΔT is a positive floating-point number with a theoretical value range of 0 to +∞.
In one embodiment, the above step S1 comprises: step S14, starting the jump shift mode at the second start time; step S15, controlling the virtual machine to skip the skip time and run to the second end time; step S16, at the second end time, controlling the virtual machine to run at the preset normal rate until the third end time; and step S17, acquiring the record log of the sample under test between the second end time and the third end time as the record log of the sample under test in the jump shift mode.
At the second start time TJstart the jump shift mode is triggered automatically; the virtual machine is controlled to jump to the jump landing time by the second end time TJstop, and at TJstop it is controlled to run at the preset normal rate until the third end time Tstop. The record log of the sample under test after the jump shift process, i.e. the record log between TJstop and Tstop, is acquired as the record log of the sample under test in the jump shift mode. The dynamic behavior of the sample under test during the jump shift process itself (i.e. from TJstart to TJstop) is not recorded and analyzed because the time skipped by the virtual machine system may be very long, and recording and analyzing the dynamic behavior of the sample under test over that stretch would consume a great deal of resources, contrary to the original intention of the present disclosure; therefore only the record log of the sample under test after the jump shift process is recorded and acquired.
其中,与所述第二结束时刻对应的虚拟机系统时刻=第一起始时刻+跳过时间,与所述第三结束时刻对应的虚拟机系统时刻=第一起始时刻+跳过时间+(第三结束时刻-第二结束时刻)。Wherein, the virtual machine system time corresponding to the second end time = first start time + skip time, and the virtual machine system time corresponding to the third end time = first start time + skip time + ( Three end moments-second end moment).
通过本实施例提出的恶意样本检测方法,实现了在虚拟机系统中变速运行被测样本,记录并分析被测样本在跳变变速运行过程后的记录日志,从而为后续恶意行为分析提供支持。The malicious sample detection method provided in this embodiment implements variable-speed running of the tested sample in the virtual machine system, and records and analyzes the log of the tested sample after the transition of the variable-speed running process, thereby providing support for subsequent malicious behavior analysis.
第三实施例和第四实施例可以单独实施,即在虚拟机系统中单独运行线性变速模式或者单独运行跳变变速模式;两个实施例也可以组合起来实施,例如,如图3所示,在虚拟机系统中可以先运行线性变速模式,若通过线性变速模式没有检测出被测样本有恶意行为,则接着运行跳变变速模式至TJstop,再以预设正常速率运行虚拟机系统至第三结束时刻Tstop,此时无论是否检测到被测样本的恶意行为,都停止此次检测,反馈检测分析报告,避免资源浪费。The third embodiment and the fourth embodiment can be implemented separately, that is, in the virtual machine system, the linear speed change mode or the jump speed change mode is run separately; the two embodiments can also be implemented in combination, for example, as shown in FIG. 3, In the virtual machine system, you can run the linear variable speed mode first. If no malicious behavior is detected in the tested sample through the linear variable speed mode, then run the variable speed mode to TJstop, and then run the virtual machine system to the third normal speed At the end time Tstop, no matter whether the malicious behavior of the tested sample is detected at this time, the detection is stopped, and the detection analysis report is fed back to avoid waste of resources.
另外,无论是第三实施例单独实施和第四实施例单独实施还是二者组合实施,在运行线性变速模式、跳变变速模式前后都可以穿插以预设正常速率运行的过程,如何穿插实施,在此不作限定。In addition, regardless of whether the third embodiment is implemented separately and the fourth embodiment is implemented separately or a combination of the two, the process of running at the preset normal rate can be interspersed before and after running the linear shift mode and the jump shift mode. Not limited here.
In one embodiment, based on the first embodiment shown in FIG. 2 above, a fifth embodiment of the malicious sample detection method of the present disclosure is proposed. In this embodiment, after the above step S2 the method further includes:
Step S21: if the log contains no malicious behavior, determine that the sample under test has no time-dimension latent behavior.
The linear variable-speed mode or the jump variable-speed mode may be run alone in the virtual machine system, or the two embodiments may be combined; if no malicious behavior of the sample under test is detected after all of the above modes, it is determined that, with high probability, the sample under test has no time-dimension latent behavior.
The above step S3 includes: step S31, if the log contains malicious behavior, obtaining the type of the time variable-speed mode; and step S32, determining the type of time-dimension latent behavior of the sample under test according to the type of the time variable-speed mode.
In one embodiment, if the log contains malicious behavior, the type of time variable-speed mode used in the virtual machine system is obtained first, and then the type of time-dimension latent behavior of the sample under test, elapsed-time-triggered or fixed-time-triggered, is determined according to that mode type.
With the malicious sample detection method of this embodiment, the type of time-dimension latent condition of a malicious sample is determined qualitatively, which improves analysis efficiency.
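The FIG. 3 procedure, with the claim 4 normal-rate pre-check, the VM-time mappings of claims 7 and 8, and the step S31/S32 classification, as an added Python model that is not part of the patent or any product of the applicant. The log line format, the dormant-sample model (it fires once the VM clock reaches its trigger), the pairing of linear mode with elapsed-time triggers and jump mode with fixed-time triggers, and every time value are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed log format for this example: "<vm_time> <BENIGN|MALICIOUS> <event>".
SampleLog = Callable[[float, float], List[str]]

# The page only says the latent-behaviour type follows "from the mode type";
# this particular pairing is an assumption made for the example.
LATENT_TYPE = {"linear": "elapsed-time-triggered", "jump": "fixed-time-triggered"}


def is_malicious(line: str) -> bool:
    """Stand-in for the analysis module: classify one constructed log line."""
    return line.split()[1] == "MALICIOUS"


def make_dormant_sample(trigger_vm_time: float) -> SampleLog:
    """Constructed sample model: benign until the VM clock reaches trigger_vm_time,
    then it emits one malicious event (once) in the window that reached it."""
    fired = {"done": False}

    def log(vm_lo: float, vm_hi: float) -> List[str]:
        lines = [f"{vm_lo:.0f} BENIGN heartbeat"]
        if not fired["done"] and vm_hi >= trigger_vm_time:
            fired["done"] = True
            lines.append(f"{max(vm_lo, trigger_vm_time):.0f} MALICIOUS dormant_payload")
        return lines
    return log


@dataclass
class TimeShiftSandbox:
    """Tracks VM system time across normal, linear and jump phases (claims 7 and 8)
    and records the VM-time window each phase logged. All times are in seconds."""
    sample: SampleLog
    vm_now: float = 0.0
    trace: List[Tuple[str, float, float, bool]] = field(default_factory=list)

    def _observe(self, mode: str, vm_lo: float, vm_hi: float) -> bool:
        found = any(is_malicious(ln) for ln in self.sample(vm_lo, vm_hi))
        self.trace.append((mode, vm_lo, vm_hi, found))
        return found

    def run_normal(self, t_start: float, t_stop: float) -> bool:
        # Preset normal rate: VM time advances 1:1 with real-world time.
        lo, self.vm_now = self.vm_now, self.vm_now + (t_stop - t_start)
        return self._observe("normal", lo, self.vm_now)

    def run_linear(self, tl_start: float, tl_stop: float, n: float) -> bool:
        # Claim 7: VM time at TLstop = VM time at TLstart + N * (TLstop - TLstart);
        # the whole TLstart..TLstop window is logged.
        lo, self.vm_now = self.vm_now, self.vm_now + n * (tl_stop - tl_start)
        return self._observe("linear", lo, self.vm_now)

    def run_jump(self, tj_start: float, tj_stop: float, skip: float, t_stop: float) -> bool:
        # Claim 8: VM time at TJstop = VM time at TJstart + delta T (the landing time);
        # the skipped interval is not logged. Then normal rate until Tstop, which is.
        assert tj_start <= tj_stop <= t_stop
        landing = self.vm_now + skip
        self.vm_now = landing + (t_stop - tj_stop)
        return self._observe("jump", landing, self.vm_now)


def detect(sample: SampleLog,
           normal: Tuple[float, float] = (0.0, 60.0),
           linear: Tuple[float, float, float] = (60.0, 120.0, 100.0),
           jump: Tuple[float, float, float, float] = (120.0, 121.0, 30 * 86400.0, 181.0)) -> Dict:
    """FIG. 3 procedure with the claim 4 pre-check: normal rate, then linear mode,
    then jump mode; stop at the first phase whose log shows malicious behaviour."""
    sb = TimeShiftSandbox(sample)
    if sb.run_normal(*normal):
        # Fired at the normal rate: malicious, but no time-dimension latency (claim 4).
        return {"malicious": True, "latent_type": None, "mode": "normal", "trace": sb.trace}
    for mode, run, args in (("linear", sb.run_linear, linear), ("jump", sb.run_jump, jump)):
        if run(*args):
            # Steps S31/S32: the type follows from the mode that exposed the behaviour.
            return {"malicious": True, "latent_type": LATENT_TYPE[mode], "mode": mode,
                    "trace": sb.trace}
    # Step S21: nothing seen in any mode -> no time-dimension latent behaviour (high probability).
    return {"malicious": False, "latent_type": None, "mode": None, "trace": sb.trace}


if __name__ == "__main__":
    for name, trigger in (("immediate", 10), ("1h timer", 3600),
                          ("14-day date", 14 * 86400), ("60-day date", 60 * 86400)):
        r = detect(make_dormant_sample(trigger))
        print(f"{name:12s} malicious={r['malicious']} mode={r['mode']} type={r['latent_type']}")
```

With the default schedule the 60-second linear phase at N=100 covers 100 minutes of VM time, and the jump phase lands 30 VM days later, so a 60-day trigger is still missed, which is the residual gap step S21 accepts.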
The technical solution of the embodiments of the present disclosure addresses a problem with dynamic behavior analysis of malicious samples in some situations. Dynamic behavior analysis runs a malicious sample in a real computer operating environment and identifies it by analyzing log information. However, the great majority of current malware, viruses and backdoors have a time-dimension latency property: they do not perform malicious operations immediately after infecting a host machine, but stay dormant for a period of time before executing malicious behavior. The analysis time of dynamic behavior analysis is fixed and relatively short, so the malicious behavior of such samples is hard to capture unless a large amount of useless waiting time is spent, raising accuracy at the cost of efficiency; even then, the malicious behavior of samples with long-term latent behavior cannot be obtained, because it is impossible to wait indefinitely.
Refer to FIG. 4, which is a schematic diagram of the functional modules of the present disclosure.
The present disclosure also provides a scanning device, which includes: an acquisition module 10, which starts the time variable-speed mode of the virtual machine and obtains the log of the sample under test in the time variable-speed mode of the virtual machine; an analysis module 20, which analyzes whether the log in the time variable-speed mode contains malicious behavior; and a determination module 30, which, if the log contains malicious behavior, determines the type of time-dimension latent behavior of the sample under test according to the type of the time variable-speed mode.
The implementation of the malicious sample detection device of the present disclosure is essentially the same as the embodiments of the malicious sample detection method and is not repeated here.
The present disclosure provides a storage medium storing one or more programs, which may be executed by one or more processors to implement the steps of the malicious sample detection method described in any of the above embodiments.
The storage medium embodiments of the present disclosure are essentially the same as the embodiments of the malicious sample detection method and are not repeated here.
It should be noted that in this document the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or terminal that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or terminal. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or terminal that includes that element.
The sequence numbers of the above embodiments of the present disclosure are for description only and do not indicate the relative merit of the embodiments.
From the description of the above embodiments, those skilled in the art will clearly understand that the methods of the above embodiments may be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of the present disclosure, in essence or in the part that contributes in some situations, may be embodied in the form of a software product stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc), including a number of instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, or the like) to perform the methods described in the embodiments of the present disclosure.
The malicious sample detection method, device, system and storage medium of the present disclosure start the time variable-speed mode of the virtual machine and obtain the log of the sample under test in that mode; analyze whether the log in the time variable-speed mode contains malicious behavior; and, if it does, determine the type of time-dimension latent behavior of the sample under test according to the type of the time variable-speed mode. By accelerating the passage of the virtual machine's system time, the present disclosure triggers the time-latent behavior of malicious samples quickly through time speed variation, improving the efficiency and success rate of dynamic behavior analysis of malicious samples.
The above are only preferred embodiments of the present disclosure and do not limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present disclosure, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present disclosure.

Claims (11)

  1. A malicious sample detection method, wherein the malicious sample detection method is applied to a virtual machine and includes the following steps:
    starting a time variable-speed mode of the virtual machine, and obtaining a log of a sample under test in the time variable-speed mode of the virtual machine;
    analyzing whether the log in the time variable-speed mode contains malicious behavior;
    if the log contains malicious behavior, determining a type of time-dimension latent behavior of the sample under test according to a type of the time variable-speed mode.
  2. The malicious sample detection method according to claim 1, wherein the time variable-speed mode includes a linear variable-speed mode, and before the step of starting the time variable-speed mode of the virtual machine and obtaining the log of the sample under test in the time variable-speed mode of the virtual machine, the method includes:
    setting a first start time, a first end time and a linear speed multiple of the linear variable-speed mode;
    and the step of starting the time variable-speed mode of the virtual machine and obtaining the log of the sample under test in the time variable-speed mode of the virtual machine includes:
    starting the linear variable-speed mode at the first start time;
    running the virtual machine at a running rate equal to the linear speed multiple times a preset normal rate until the first end time;
    obtaining the log of the sample under test between the first start time and the first end time as the log of the sample under test in the linear variable-speed mode.
  3. The malicious sample detection method according to claim 1, wherein the time variable-speed mode includes a jump variable-speed mode, and before the step of starting the time variable-speed mode of the virtual machine and obtaining the log of the sample under test in the time variable-speed mode of the virtual machine, the method includes:
    setting a second start time, a second end time, a skip time and a third end time of the jump variable-speed mode;
    and the step of starting the time variable-speed mode of the virtual machine and obtaining the log of the sample under test in the time variable-speed mode of the virtual machine includes:
    starting the jump variable-speed mode at the second start time;
    controlling the virtual machine to skip the skip time and run to the second end time;
    at the second end time, controlling the virtual machine to run at the preset normal rate until the third end time;
    obtaining the log of the sample under test between the second end time and the third end time as the log of the sample under test in the jump variable-speed mode.
  4. The malicious sample detection method according to claim 2 or 3, wherein before the step of starting the time variable-speed mode of the virtual machine and obtaining the log of the sample under test in the time variable-speed mode of the virtual machine, the method further includes:
    running the virtual machine at the preset normal rate and obtaining the log of the sample under test;
    analyzing whether the log at the preset normal rate contains malicious behavior;
    if the log at the preset normal rate contains malicious behavior, determining that the sample under test has no time-dimension latent behavior;
    if it does not, executing the step of: starting the time variable-speed mode of the virtual machine, and obtaining the log of the sample under test in the time variable-speed mode of the virtual machine.
  5. The malicious sample detection method according to claim 2 or 3, wherein the step of, if the log contains malicious behavior, determining the type of time-dimension latent behavior of the sample under test according to the type of the time variable-speed mode includes:
    if the log contains malicious behavior, obtaining the type of the time variable-speed mode;
    determining the type of time-dimension latent behavior of the sample under test according to the type of the time variable-speed mode.
  6. The malicious sample detection method according to claim 1, wherein after the step of analyzing whether the log in the time variable-speed mode contains malicious behavior, the method further includes:
    if the log contains no malicious behavior, determining that the sample under test has no time-dimension latent behavior.
  7. The malicious sample detection method according to claim 2, wherein the first start time and the first end time are real-world times, and the virtual machine system time corresponding to the first end time = first start time + linear speed multiple × (first end time - first start time).
  8. The malicious sample detection method according to claim 3, wherein the second start time, the second end time and the third end time are real-world times, the virtual machine system time corresponding to the second end time = second start time + skip time, and the virtual machine system time corresponding to the third end time = second start time + skip time + (third end time - second end time).
  9. A malicious sample detection device, wherein the malicious sample detection device includes:
    an acquisition module, which starts the time variable-speed mode of the virtual machine and obtains the log of the sample under test in the time variable-speed mode of the virtual machine;
    an analysis module, which analyzes whether the log in the time variable-speed mode contains malicious behavior;
    a determination module, which, if the log contains malicious behavior, determines the type of time-dimension latent behavior of the sample under test according to the type of the time variable-speed mode.
  10. A malicious sample detection system, wherein the malicious sample detection system includes: a memory, a processor, and a malicious sample detection program stored in the memory and executable on the processor, the malicious sample detection program, when executed by the processor, implementing the steps of the malicious sample detection method according to any one of claims 1 to 8.
  11. A storage medium, wherein a malicious sample detection program is stored on the storage medium, and the malicious sample detection program, when executed by a processor, implements the steps of the malicious sample detection method according to any one of claims 1 to 8.
PCT/CN2019/126752 2018-12-26 2019-12-19 Malicious sample detection method, apparatus and system, and storage medium WO2020135232A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811604795.1 2018-12-26
CN201811604795.1A CN111368295A (en) 2018-12-26 2018-12-26 Malicious sample detection method, device and system and storage medium

Publications (1)

Publication Number Publication Date
WO2020135232A1 true WO2020135232A1 (en) 2020-07-02

Family

ID=71128459

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/126752 WO2020135232A1 (en) 2018-12-26 2019-12-19 Malicious sample detection method, apparatus and system, and storage medium

Country Status (2)

Country Link
CN (1) CN111368295A (en)
WO (1) WO2020135232A1 (en)

Also Published As

Publication number Publication date
CN111368295A (en) 2020-07-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19901779

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/11/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19901779

Country of ref document: EP

Kind code of ref document: A1